{"url":"http://public2.vulnerablecode.io/api/packages/73608?format=json","purl":"pkg:maven/org.assertj/assertj-core@3.27.7","type":"maven","namespace":"org.assertj","name":"assertj-core","version":"3.27.7","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49837?format=json","vulnerability_id":"VCID-449j-g7eq-bkcy","summary":"AssertJ has XML External Entity (XXE) vulnerability when parsing untrusted XML via isXmlEqualTo assertion\nAn XML External Entity (XXE) vulnerability exists in `org.assertj.core.util.xml.XmlStringPrettyFormatter`: the `toXmlDocument(String)` method initializes `DocumentBuilderFactory` with default settings, without disabling DTDs or external entities. This formatter is used by the `isXmlEqualTo(CharSequence)` assertion for `CharSequence` values.\n\nAn application is vulnerable only when it uses untrusted XML input with one of the following methods:\n\n- `isXmlEqualTo(CharSequence)` from `org.assertj.core.api.AbstractCharSequenceAssert`\n- `xmlPrettyFormat(String)` from `org.assertj.core.util.xml.XmlStringPrettyFormatter`","references":[{"reference_url":"https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html","reference_id":"","reference_type":"","scores":[],"url":"https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html"},{"reference_url":"https://github.com/assertj/assertj","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/assertj/assertj"},{"reference_url":"https://github.com/assertj/assertj/commit/85ca7eb6609bb179c043b85ae7d290523b1ba79a","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/assertj/assertj/commit/85ca7eb6609bb179c043b85ae7d290523b1ba79a"},{"reference_url":"https://github.com/assertj/assertj/releases/tag/assertj-build-3.27.7","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/assertj/assertj/releases/tag/assertj-build-3.27.7"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24400","reference_id":"CVE-2026-24400","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-24400"},{"reference_url":"https://github.com/advisories/GHSA-rqfh-9r24-8c9r","reference_id":"GHSA-rqfh-9r24-8c9r","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-rqfh-9r24-8c9r"},{"reference_url":"https://github.com/assertj/assertj/security/advisories/GHSA-rqfh-9r24-8c9r","reference_id":"GHSA-rqfh-9r24-8c9r","reference_type":"","scores":[],"url":"https://github.com/assertj/assertj/security/advisories/GHSA-rqfh-9r24-8c9r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73608?format=json","purl":"pkg:maven/org.assertj/assertj-core@3.27.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.assertj/assertj-core@3.27.7"}],"aliases":["CVE-2026-24400","GHSA-rqfh-9r24-8c9r"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-449j-g7eq-bkcy"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.assertj/assertj-core@3.27.7"}